Meltdown and Spectre Security Update

UPDATE: Friday, January 5 19:07 PST

As of 13:30 PST, AWS completed their patch deployment addressing tenant isolation threats. AWS reports they have restored the expected multi-tenancy protections similar to dedicated hardware, which leaves Heroku to address the kernel vulnerabilities in runtime host operating systems.

Heroku Performance, Private, and Shield dynos feature varying degrees of isolation from potentially hostile neighbors. However, the shared Common Runtime carries our highest priority for Meltdown (variant 3) mitigation work due to the nature of its shared infrastructure.

The ideal fix is to deploy the updated kernel from Canonical prior to the release of functional proof-of-concept exploit code for this vulnerability. As this patch is not yet available, the Heroku Security team has opted for a more rapid response.

Over the last 24 hours, Heroku Engineering has prepared our own upstream kernel deployment as an aggressive measure to protect the shared Common Runtime. We began deploying this update as soon as possible, beginning on Friday morning.

Heroku has now fully deployed this update to the US and EU shared Common Runtime, which will be replaced when the official Canonical update is made available.


On January 3, researchers disclosed a security vulnerability affecting side-channel analysis of speculative execution on modern computer processors (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).

Heroku’s Product Security team follows emerging trends, and partners closely with the research community. We invest heavily in facilitating conversations regarding vulnerabilities and keeping our customers safe via community partnerships.

In the case of emerging and recently-announced vulnerabilities (including those embargoed or leaked to the press), we have a proven methodology for ingesting, processing, and prioritizing mitigation work. Our team utilizes these methods to address these vulnerabilities as material or actionable information is made available.

Our Security and Platform teams are working closely with AWS and Canonical (makers of the Ubuntu Linux operating system) to investigate and patch any affected systems related to the Meltdown and Spectre announcements. If customer impact or coordination is required, we will post additional information via Heroku Status, DevCenter ChangeLog, or provide instructions and context via maintenance notification emails.

Browse the archives for news or all blogs Subscribe to the RSS feed for news or all blogs.